The Ministry of Electronics and Information Technology has released the much anticipated Digital Personal Data Protection Bill 2022. The bill is introduced to process digital data in a manner that recognises both the protection of digital data of individuals and the need for the authority to process data for maintaining law and order in the country. For a better understanding of the concepts and legalities, this bill has been divided into 6 chapters, namely.
Obligations of Data Fiduciary
Rights and Duties of Data Principal
This Piece of writing aims at decoding all the chapters of the latest personal data protection bill 2022
The Data Protection Bill has been under work since the landmark judgment of the Hon’ble SC in KS Puttaswamy Vs Union of India, which elucidated that the right to privacy is a fundamental right and the Government has an obligation to pass legislation to protect the fundamental right of the citizens. After the introduction of the internet, the industrial and social landscape of countries across the globe has seen a drastic change. In this era of digitalisation, consumer data became a commodity and was being used without their consent by the players in the market. It was about time that legislators around the world addressed these issues and protected the rights of their subjects.
The preliminary chapter deals with the commencement, essential definitions, interpretations and the scope of the Data Protection Bill.
Short Title and Commencement
The Act is called the Digital Personal Data Protection Act, 2022 and shall come into force on such date as the Central Government may notify in the official Gazette. The Central Government can appoint different dates for officially enacting various provisions of the Act.
The Data Protection Bill defines all the essential terms and definitions that may give an outlook to the enactment of the provisions: some of the important definitions are as follows:
Automated means any digital process that has the capability to operate automatically, responding to the instructions given to process the data.
Board means the Data Protection Board established by the Act
Child means any person that has not completed the age of 18 years
Data means a representation of facts, information, opinions, instruction or concepts in a manner suitable for interpretation, processing or communication by humans or any automated digital means.
Data Fiduciary is defined as a person who singularly or in a group determines the purpose and meaning of processing of personal data.
A Data Principal means an individual to whom the personal data relates. In case of a person under the age of 18 years the lawful guardian .
Data Processor means any individual responsible for processing the Data on behalf of a Data Fiduciary.
Data Protection Officer means a person appointed under the ambit of this Act by a Significant Data Fiduciary.
Harm means the following;
Theft of identity
Harassment in any manner
Prevention of lawful gain or causes a significant loss
The definition of a person includes the following
Any association of a person or a boy of individuals, whether registered/incorporated or not
Every artificial juristic person
Personal Data is defined as any data that can be related to any person
Personal data breach is defined as the unauthorised processing of personal data or acquisition, use, destruction, alteration of or loss of access to personal data, which comprises the confidentiality, integrity or availability of personal data.
Processing in relation to an automated operation of personal data involves the following collection, organisation, recording, structuring, storage, adaptation, alteration, retrieval, use, alignment or indexing and sharing by transmission, dissemination or otherwise.
Public Interest means in the interest of the following;
Sovereignty and Integrity of India
Security of the state
Maintaining the public order
Relations with the foreign states
Preventing dissemination of false statements of facts
Application of the Bill
The Data Protection Bill is applicable to the following:
The provisions of this shall apply to the processing of Digital Personal Data within the territory of India when it is collected from Data Principals online, and data collected offline and is digitised.
The provisions are also applicable to the processing of personal digital data outside the territory of India if that is in connection to profiling or offering goods or services to Data Principles within the territory of India
The provisions do not apply to the following:
Offline Personal data
Non-automated processing of Personal Data
Personal or domestic processing of Data
Personal data of the individual that is contained on a record for at least 100 years.
Obligations of the Data Fiduciary
As defined earlier in the Data Protection Bill, a data fiduciary is defined as an entity or individual that determines the means & purpose of the processing of data. The data principal should give their consent or be deemed to give their consent to the Data Fiduciary according to the provisions of this Bill. The consent shall only be given for lawful purposes, which essentially means the purpose that is not expressly forbidden by law.
Notice to the Data Principal
Before requesting Consent from the Data Principal, the Data Fiduciary must serve a notice that clearly states the terms and description of the personal data sought to be collected by the Fiduciary. In case the consent has already been given by the Data Principal to the Data Fiduciary before the commencement of this Bill, the Data Fiduciary shall still serve a notice to the Data Principal as soon as possible.
Consent of the Data Principal
The Data Principle shall give consent to the Data Fiduciary in clear and plain language. It should include an affirmative action that signifies the specified purpose that has been drawn out by the arrangement between the parties. The data fiduciary shall also provide the contact details of the DPO or any other person that the Data Fiduciary authorises. The request for consent can be given to the Data Principal in English or any different language prescribed in the eighth schedule of the constitution.
The Data Principal has the right to withdraw the consent he has given to the Data Fiduciary at any time; the consequences are to be borne by the Data Principal in that situation. The data principle has the option to hire a consent manager who can, on their behalf, manage, review or withdraw their consent; the data manager shall be registered with the board. If the two parties have made a contract for service shall not be made conditional on the consent to the processing of personal data.
In case of any dispute between two parties, the Data Fiduciary is obligated to present written notice presented by the Fiduciary along with consent given by the Principal.
In the following condition, the consent is considered to be deemed by the Data Principal.
Voluntarily Supply Data
For the performance of any function under any law or for the benefit of the Data Principal
In compliance with any judgement or order under the law
For any emergency that is a threat to life
For medical treatment or availing health services
For taking safety measures during any disaster or breakdown of public order
For purposes related to employment, including corporate espionage.
General Obligations of the Data Fiduciary
The Data Fiduciary should comply with all the provisions of the Bill or any other laws of the country that may be applicable.
They should make responsible efforts to ensure that the personal data processed by or on behalf of the fiduciary is accurate and complete.
The Data Fiduciary should implement all the organisational or technical measures to ensure effective adherence to the provisions of the Bill.
They should take reasonable security safeguards to protect the important Data.
In case of a breach, the Data Fiduciary shall notify the board and each affected Data Principal in the manner prescribed by the Bill.
They should cease to retain personal data in the following cases
The purpose of the Data is not served by its retention
The retention is not necessary for legal or business purposes
They should publish the Contact details of the DPO and the person who is able to answer on behalf of such Data Fiduciary
There should be a working dispute redressal mechanism for all the grievances of the Data Principals.
Under a valid contract, the Data Fiduciary can appoint one or several data processors and share the personal data with them.
Additional Obligations of personal processing data of Children
The fiduciary shall obtain the parent’s consent before processing the children’s data.
The data processing shall not be done with the intention of causing harm to a child.
They should not track the behavioural monitoring of children.
Rights and Duties of Data Principal under the Data Protection Bill
Right of the Data Principal
The Data protection bill prescribes the following rights to the Data Principal.
Right to Information about the Personal Data
Right to correction or erasure of personal Data
Right to grievance redressal
Right to nominate
Duties of the Data Principle
The Data Principal shall comply with provisions of all the applicable laws while exercising the rights under this Data Protection Bill.
Data Principal should not make false complaints with a Data fiduciary or board.
The data principal shall not provide false particulars and suppress any material function or impersonate another person.
They shall furnish authentic information whilst exercising their right to correction or erasure.
Special Provisions under the Data Protection Bill, 2022
Transfer of Personal Data outside India
The Central Government, after an assessment of factors, may, as it deems necessary, notify the countries to which the Data Fiduciary may Transfer Personal Data in accordance with the terms and conditions that may be prescribed by such Government from time to time.
In the following events, the processing of data without consent shall be exempted.
When the processing of Personal Data is necessary for enforcing any right or claim
For any quasi-judicial or judicial function
In the interest of prevention, detection, and investigation of any offence under the law
Personal data of the Principals outside the territory of the country
The Central Government may provide an exemption if the case is hampering the security and sovereignty of India.
The state or its instrumentality can retain any personal data that it deems fit, even in case of withdrawing the consent.
Data Protection Board of India
The Central Government shall set up the data protection Board of India for the allocation of work, receipt of complaints, formation of groups, making fair hearings, pronouncing the judgement or any other matter they deem fit.
The strength and composition, along with the process of selection and termination, shall be prescribed.
The Central Government shall appoint the management of the board
The Board shall have employees and officers with specified terms and conditions
The Chairperson and members are officers who shall be functioning in pursuance with section 21 and under the definition of Public Servant according to the Indian Penal Code.
There should be no suit, prosecution or other legal proceedings lying against Board or any other members.
Functions of the Board
The major functions of the Board include the following;
To determine any non-compliance with the Data Protection Bill and impose a penalty
To perform any other function, Central Government may prescribe from time to time by the official Gazette
To conduct hearings, write down all the proceedings and issue directions from time to time to make people compliant with the regulations of the Bill.
In case of a personal data breach, it may direct the Fiduciary to adopt any urgent measure to remedy the data breach.
The Board, on a representation, can modify, suspend, withdraw or cancel any directions.
Process and Powers of the Board
There is a process that is to be followed by the board on receipt of any complaints or non-compliance with the Bill, which shall be based on the principles of Natural Justice.
The board has the power to investigate the matter as
There should be an adequate procedure for review and appeal against the order passed by the members. The Data Protection Bill specifies that no Civil Court has the jurisdiction to entertain any suit or to take any action in regard to any matter under the provisions of this Bill.
The board has the power to direct the parties to the matter to an alternative dispute resolution mechanism like mediation. It can direct the parties to mediate by a group of persons designated by the board.
The board has the power to voluntarily undertake any matters related to compliance with this Bill from any person at any stage.
If the board prescribed during the investigation finds that non-compliance by a person is significant, after giving a reasonable opportunity to the party to be heard, it may impose a monetary penalty according to schedule 1 not exceeding Rs. 500 Crores in each instance.
Schedule of Fines in the Data Protection Bill, 2022
Penalty in Rupees
Failure of Data Fiduciary to safeguard and prevent a data breach
Upto 250 Cr.
Failure to communicate to the board or affected Data Principal
Upto 200 Cr.
Non Fulfilment of additional obligations with regard to children
Upto 200 Cr.
Non-fulfilment of additional obligations mentioned in Section 11
Upto 150 Cr.
Non-compliance with Section 16 of the Act
Upto 10 Thousand
Non Compliance with provisions of the Act other than 1-5 or rules made thereunder
Upto 50 Cr.
Power of the Central Government in the Data Protection Bill, 2022
The Central Government has the power to make rules consistent with the provisions to enforce the Act. The rules made by the Central Government shall be laid down after passing from the two houses of the Parliament.
The Central Government also, by notification, make key amendments to schedule 1 of this Act; no notification can increase the penalty to more than double of what it was when the Act was originally enacted.
If there is any difficulty in giving effect to the provisions of the Act, the Central Government should do so before the expiry of 5 years from the date of coming into force of the Act.
Amendments made by the Data Protection Bill
The information technology act is amended in the following manner
Section 43A of the IT Act is omitted
The proviso of Section 81 in the Act or the Digital personal Data Protection Act 2022 shall be inserted.
Section 87(2)(ob) of the IT Act shall be omitted.
The RTI Act has been amended in the following manner.
Section 8 (1)(j) proviso shall be omitted;
The Digital Personal Data Protection Bill 2022 will be presented on the floors of Parliament in the Budget Session. The MeitY has invited feedback by December 17th, 2022 and has assured that the ministry will do no public disclosures of the submissions. The new data protection bill can be game-changing legislation that might change the landscape of using data across the country. This Act also aims to safeguard individuals’ personal data, which will help deplete cybercrimes across the country. It can be said that this Act can be game-changing legislation in the era of the Digital Revolution.
An Advocate by profession, Ankit holds ample experience in curating engaging and informative content relating to the BFSI, Blockchain and Global Expansion domains. He is also well-versed in drafting/vetting documents and holds a keen interest in cyber security laws, taxation, finance and regulatory norms.